CVE-2023-30013
Published 2023-05-05
Priority P2 · 76 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (Metasploit module and Nuclei template listed below)
EPSS: 25.89% (97.7th percentile)
TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| totolink | x5000r_firmware | — | — |
| totolink | x5000r_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TOTOLINK setTracerouteCfg Command Injection Attempt (CVE-2023-30013)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/cstecgi.cgi"; fast_pattern; http.request_body; content:"|7b 22|command|22 3a 22|"; startswith; content:"|3b|"; distance:0; content:"|3b 22 2c 22|"; distance:0; content:"topicurl|22 3a 22|setTracerouteCfg|22 7d|"; endswith; reference:url,attackerkb.com/topics/xnX3I3PEgM/cve-2023-30013; reference:cve,2023-30013; classtype:attempted-admin; sid:2048119; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2023_09_19, cve CVE_2023_30013, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_09_19, reviewed_at 2023_09_19, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
Byte patterns used by the rule (Snort/Suricata |hex| notation):
- |7b 22|command|22 3a 22| decodes to `{"command":"`, the start of the JSON request body
- topicurl|22 3a 22|setTracerouteCfg|22 7d| decodes to `topicurl":"setTracerouteCfg"}`, the end of the request body
- The exploit targets an HTTP POST to /cgi-bin/cstecgi.cgi with a JSON body containing the 'command' parameter and 'topicurl':'setTracerouteCfg'; no authentication is required.
- A successful exploitation response (body_1) contains the strings 'lan_ip' and 'reserv'; a follow-up GET request for the dropped file returns '.sh' or '.cgi' filenames, confirming RCE.
- The injection payload uses semicolons (0x3b) as shell command separators inside the JSON 'command' value; the Snort rule keys on the byte |3b| (';') appearing after the start of the command value.
- Exploitation yields full root-level access, since the web server typically runs as root on affected TOTOLINK devices.
- Multiple TOTOLINK models beyond the X5000R are affected by the same vulnerability in setTracerouteCfg; detections should not be scoped to the X5000R alone.
- The vulnerability is unauthenticated; deploying the Snort rule only at the perimeter is insufficient, and internal deployment is also recommended.
Suricata
ET WEB_SPECIFIC_APPS TOTOLINK setTracerouteCfg Command Injection Attempt (CVE-2023-30013)
suricata · 2023-09-19 · CVSS 9.8 · severity CRITICAL
Rule: identical to the Snort rule listed under Detection & IOCs above (sid:2048119, rev:1).
Metasploit
TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability.
Description: Multiple TOTOLINK network products contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter. After exploitation, an attacker will have full access with the same user privileges under which the webserver is running (typically as user `root`, ;-). The following TOTOLINK network products and firmware are vulnerable:
- Wireless Gigabit Router model X5000R with firmware X5000R_V9.1.0u.6118_B20201102.zip;
- Wireless Gigabit Router model A7000R with firmware A7000R_V9.1.0u.6115_B20201022.zip;
- Wireless Gigabit Router model A3700R with firmware A3700R_V9.1.2u.6134_B20201202.zip;
- Wireless N Router mode
Nuclei
TOTOLink - Unauthenticated Command Injection
nuclei · CVSS 9.8 · severity CRITICAL
Template:
id: CVE-2023-30013
info:
  name: TOTOLink - Unauthenticated Command Injection
  author: gy741
  severity: critical
  description: |
    TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 contain a command insertion vulnerability in setting/setTracerouteCfg. This vulnerability allows an attacker to execute arbitrary commands through the "command" parameter.
  impact: |
    Unauthenticated attackers can execute arbitrary OS commands on the TOTOLINK X5000R router, leading to complete device compromise, n
References:
- http://packetstormsecurity.com/files/174799/TOTOLINK-Wireless-Routers-Remote-Command-Execution.html
- https://github.com/Kazamayc/vuln/tree/main/TOTOLINK/X5000R/2